Cryptography services are typically provided in computing systems to support various security needs. These cryptography services employ different cryptography techniques and algorithms as needed to perform certain actions.
Cryptography techniques may be categorized as either symmetric cryptography or asymmetric cryptography. With symmetric cryptography, the same secret key is used for both encryption and decryption. This means that the symmetric key needs to be shared between the encrypting party and the decrypting party. Any party having a copy of the symmetric key may therefore decrypt and read a message. Hence, there is a need to protect and maintain control over the symmetric key. Security is provided through the protection of the key being used by the sender and the receiver. As long as only the sender and receiver know the secret symmetric key value, the message is protected (assuming a robust encryption algorithm and a cryptographically safe key size/seed are used).
Asymmetric cryptography (public key cryptography) is typically based on a “key pair”. Here, one key in the pair is referred to as the “public” key. As the public directory, for example. The other key is referred to as the “private” key. Also consistent with its name, the private key is meant to be kept secret and secure by the party. Although the two keys are mathematically related, the private key cannot be determined from the public key, or at least doing so would likely be computationally infeasible.
Encryption and signing are two typical operations associated with public key cryptography. Data that is encrypted using a public key can only be decrypted using the associated private key and vice versa. Signing allows one to verify the source of a piece of data. Signing does not, however, protect the data from being viewed by anyone who has access to the sender's public key. In asymmetric cryptography, security is provided through the protection of the private keys.
Asymmetric cryptography is also often employed to provide authentication, non-repudiation and data integrity security mechanisms. Authentication provides assurance that a message was actually sent by the party indicated. Non-repudiation provides assurance that a sender cannot later deny having sent certain data. Data Integrity provides assurance that a message was not modified prior to reaching its destination.
These security mechanisms are typically provided by using a hash function in conjunction with public key cryptography. A hash function is basically an encoding scheme that is quick to compute and results in a relatively short numeric representation of the message that was hashed. Hash functions can be used to provide data integrity. First, a hash function is a one-way function, which means that one cannot retrieve the message from the resulting hash value. Second, the slightest change to the original message will result in a clearly detectable change of the hash value.
Some processes use a hash function in conjunction with public key cryptography to provide a security service often referred to as “signing” that ensures authentication and non-repudiation. For example, in certain systems, when a user signs a message, a hash of the message is calculated and then encrypted using the sender's private key. The resulting encrypted hash is referred to as the “digital signature”. The original plaintext message, the digital signature, and the sender's certificate which contains the sender's public signing key are then sent to the recipient. Once received, the digital signature is decrypted using the sender's public key that was sent along with the message in the form of a certificate. The receiving client also generates a hash value for the plaintext message using the same hash function as did the sender. After the signature of the sender is decrypted with the sender's public key and the hash value recovered, the recovered hash value can then be compared with the generated hash value to detect differences. If the two hash values match, then the message must have originated from the sender who posses the private key. Hence, this provides authentication and non-repudiation. Furthermore, since this technique reliably detects if the message was changed/tampered during transit, data integrity is provided.
Cryptography services such as these and others are often handled “automatically” by the processes running on computing devices. This means, however, that such processes and/or users are sometimes not aware of the type of algorithm/key being used, nor if such algorithms/keys may be less secure than others that are available for use.
Consequently, for such reasons and others, there is a need for methods and apparatuses that can inform certain processes and/or even the user about the relative strength/weakness of cryptography services being used.